Many folks here have PMed me about security policy writing. I figured I'd answer in a public arena so that everyone can benefit.
Here are two RFCs that are great places to begin your adventure:
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html
http://rfc.sunsite.dk/rfc/rfc2504.html
Look these over and you should have a good idea of how to begin and how to tighten your policies.
Hope this helps!
--TH13